Patching window is getting shorter

Internet Security Systems has published a report which shows that hackers and cyber criminals are developing malicious codes to exploit known vulnerabilities much faster than before. The X-Force Threat Insight Quarterly highlights that the number of vulnerabilities in 2005 has increased by over 33% over 2004.

Analysts from X-Force, the research and development team at ISS evaluated 4472 vulnerabilities in both hardware and software during 2005. From the public announcement of the vulnerability on the internet, the report highlights that 3.13% of threats discovered had malicious code that surfaced within 24 hours, whereas 9.38% had code that surfaced within 48 hours.

Worryingly, 12.5% of the threats had code included in disclosure. This means that malicious code had been entered into the wild as soon as the vulnerability had been published. This indicates that hackers are themselves actively looking for vulnerabilities and only publish once they have developed an exploit for them. This means the time frame between the publication of a vulnerability and the release of malicious exploit code, which is often referred to as the ’patching window‘, is getting shorter and shorter.

In addition, 50% of vulnerabilities had either an exploit and/or proof-of-concept code surface within one week. A proof-of-concept is a first version of malicious code which hackers publish on the internet to show how certain vulnerabilities can be exploited. It is common for the proof-of-concept to circulate within a relatively small group of hackers to test and improve the code. The result is ultimately a so-called exploit: malicious software code that is made to be used by a big group of hackers to take advantage of the known vulnerability. Exploits are also often published in certain hacker newsgroups to ensure a faster and wider distribution.

“We are seeing an increase in ‘zero-day exploits’ from hackers appearing at the same time the vulnerability is published,” said Gunter Ollman, Director of X-Force at Internet Security Systems. “This does not allow product developers the time to test and issue the necessary patches needed by the end-users and enterprise administrators. Therefore users without pro-active protection are quite often without protection against threats for several days or even weeks.”